32 matches found

CVE, added yesterday, 9 views

CVE-2026-14535

The CVE affects Trail of Bits fickling up to version 0.1.11. The UnsafeImportsML analysis pass always calls AnalysisContext.shorten_code(node), populating shared AnalysisContext.reported_shortened_code. When MLAllowlist runs, it sees already_reported=True for every import and skips its allowlist ...

CVSS 8.8, AI score 5.9
Exploits 0, References 4
EUVD, added yesterday, 7 views

EUVD-2026-41676

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in...

CVSS 8.8, AI score 5.9
Exploits 0, References 4
EUVD, added yesterday, 6 views

EUVD-2026-41675

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist in fickle.py. Because these modules are absent from the denylist, fickling's check_safety function returns LIKELY_SAFE with zero...

CVSS 8.8, AI score 5.8
Exploits 0, References 4
CVE, added yesterday, 8 views

CVE-2026-14534

The CVE-2026-14534 issue affects the Python package fickling, up to version 0.1.10. The root cause is that the UNSAFE_IMPORTS denylist omits three standard library modules — _posixsubprocess, site, and atexit — causing check_safety() to return LIKELY_SAFE and allowing pickle payloads to deseriali...

CVSS 8.8, AI score 5.8
Exploits 0, References 4
Snyk, added 2026/03/04 9:31 p.m., 3 views

Incomplete List of Disallowed Inputs

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the UNSAFE_IMPORTS list. An attacker can execute arbitrary system commands by crafting a malicious pickle file that imports...

CVSS 10, AI score 6
Exploits 0, References 2
Github Security Blog, added 2026/03/04 9:31 p.m., 7 views

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment: The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report: Summary: fickling's UNSAFE_IMPORTS blocklist is missing at least 3 stdlib modules that provid...

AI score 6
Exploits 0, References 3, Affected Software 1
OSV, added 2026/03/04 9:31 p.m., 8 views

GHSA-5HWF-RC88-82XM Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Assessment: The modules uuid, _osx_support and _aix_support were added to the blocklist of unsafe imports https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b. Original report: Summary: fickling's UNSAFE_IMPORTS blocklist is missing at least 3 stdlib modules that provid...

CVSS 9.3, AI score 6
Exploits 0, References 3
OSV, added 2026/02/20 6:24 p.m., 6 views

GHSA-83PF-V6QQ-PWMR Fickling has a detection bypass via stdlib network-protocol constructors

Our assessment: smtplib, imaplib, ftplib, poplib, telnetlib, and nntplib were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade. The UnusedVariables heuristic works as expected. Original report: Summary: Fickling's check_safety...

CVSS 2.3, AI score 5.9
Exploits 0, References 4
Github Security Blog, added 2026/02/20 6:24 p.m., 11 views

Fickling has a detection bypass via stdlib network-protocol constructors

Our assessment: smtplib, imaplib, ftplib, poplib, telnetlib, and nntplib were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade. The UnusedVariables heuristic works as expected. Original report: Summary: Fickling's check_safety...

AI score 5.8
Exploits 0, References 4, Affected Software 1
Veracode, added 2026/01/20 10:02 a.m., 6 views

Improper Security Checks For Unsafe Imports

Fickling is vulnerable to improper security checks for unsafe imports. The vulnerability is due to incomplete validation in the unsafe_imports method of the static analyzer, which fails to flag certain high-risk Python modules, allowing an attacker to craft malicious pickle files that bypass safet...

CVSS 9.3, AI score 6.1, EPSS 0.00554
Exploits 1, References 10, Affected Software 1
RedhatCVE, added 2026/01/13 10:52 p.m., 4 views

CVE-2026-22609

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

CVSS 9.3, AI score 8.1, EPSS 0.00554
Exploits 1, References 1
OSV, added 2026/01/10 1:35 a.m., 4 views

CVE-2026-22609 Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

CVSS 9.3, AI score 7.9, EPSS 0.00554
Exploits 1, References 8
Cvelist, added 2026/01/10 1:35 a.m., 31 views

CVE-2026-22609 Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected...

CVSS 9.3, EPSS 0.00554
Exploits 1, References 6
CVE, added 2026/01/10 1:35 a.m., 17 views

CVE-2026-22609

Affected software/issue: Fickling (Python pickling decompiler/static analyzer) prior to v0.1.7. Root cause: unsafe_imports() in the static analyzer fails to flag several high-risk modules, allowing malicious pickles to bypass safety checks. Impact (as stated): potential arbitrary code execution v...

CVSS 9.3, AI score 7.8, EPSS 0.00554
Exploits 1, References 6, Affected Software 1
Positive Technologies, added 2026/01/10 12:00 a.m., 5 views

PT-2026-2229

Name of the Vulnerable Software and Affected Versions: Fickling versions prior to 0.1.7. Description: Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe imports method within Fickling’s static analyzer does not identify several high-risk Python modules...

CVSS 9.3, AI score 7.7, EPSS 0.00554
Exploits 1, References 10
OSV, added 2026/01/09 9:12 p.m., 2 views

GHSA-Q5QQ-MVFM-J35X Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

Fickling's assessment: ctypes, importlib, runpy, code and multiprocessing were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9,...

CVSS 9.3, AI score 6.2, EPSS 0.00554
Exploits 1, References 11
Snyk, added 2026/01/09 9:12 p.m., 2 views

Deserialization of Untrusted Data

Overview: fickling is a static analyzer and interpreter for Python pickle data. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the unsafe_imports function. An attacker can execute arbitrary code by supplying a malicious pickle that imports dangerous...

CVSS 9.3, AI score 8, EPSS 0.00554
Exploits 1, References 3
OSV, added 2026/01/09 9:05 p.m., 2 views

GHSA-5HVC-6WX8-MVV4 Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection

Fickling's assessment: pydoc and ctypes were added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1. Original report: Summary: Both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools like...

CVSS 9.3, AI score 5.9, EPSS 0.00346
Exploits 0, References 8
Github Security Blog, added 2026/01/09 9:04 p.m., 9 views

Fickling Blocklist Bypass: cProfile.run()

Fickling's assessment: cProfile was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43. Original report: Description: Summary: Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because ...

CVSS 9.3, AI score 8.2, EPSS 0.0044
Exploits 1, References 11, Affected Software 1
OSV, added 2026/01/09 9:04 p.m., 3 views

GHSA-P523-JQ9W-64X9 Fickling Blocklist Bypass: cProfile.run()

Fickling's assessment: cProfile was added to the list of unsafe imports https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43. Original report: Description: Summary: Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because ...

CVSS 9.3, AI score 6.4, EPSS 0.0044
Exploits 1, References 11